dnssec-trigger + GNOME + NetworkManager integration
Michael Catanzaro
mcatanzaro at gnome.org
Tue Jun 30 14:07:29 UTC 2015
On Tue, 2015-06-30 at 14:23 +0200, Tomas Hozza wrote:
> Except that this is exactly what we DON'T want to do. DNSSEC is an
> extension of DNS and it can be used even without the need for the
> whole
> Internet to be signed. We want to use it even if the network-provided
> DNS resolvers don't support DNSSEC.
I'm confused on one point: why would the user ever want to turn off
DNSSEC validation (except to get past a for captive portal)? It sounds
like you have no shortage of safeguards in place to make sure this
always works: for it to break the user would have to be on a network
that doesn't support DNSSEC, that blocks VPN, with the Fedora
infrastructure down, right? I think it's OK to fail connections in that
case (provided we have a story for captive portals).
What we basically do not want is to give the user an option for turning
a security feature off.
More information about the devel
mailing list